Google Is Trying To Kill Passwords. But What Should Replace Them?

Google is testing out a new way to sign in to its services – and it nixes one of the most annoying security measures out there: passwords. The tech giant is trying out a feature that lets some users confirm their identity just by using their smartphones.

The move is not only the latest sign that the tech industry is trying to get users away from passwords; it’s also the latest sign that companies still aren’t quite sure how to replace them.

Passwords are almost impossible to escape right now, but keeping track of the dozens you need just to navigate your daily online life can be maddening.

And they’re also almost universally hated: Creating strong, unique passwords can feel like pulling teeth, and reusing them can leave you vulnerable when a service you rely on gets breached. Moreover, data from those almost inevitable breaches shows that people keep sticking to ridiculously easy-to-guess passwords such as “123456” or, well, “password.”

“Right now it’s relatively convenient to have a simple password,” said Alvaro Bedoya, the executive director of Georgetown Law’s Center on Privacy & Technology. “But as hacks increase and breaches proliferate, people are starting to realize that also may be dangerous.”

Many big sites and services now offer two-factor authentication – an added layer of protection that often works by making you enter a code that’s delivered to your phone via text messages or an app.

Google’s new test seems to be a lot like just taking the password part out of this common two-factor equation – and it appears to be very similar to a system Yahoo launched for its mail app users earlier this year.

“We’ve invited a small group of users to help test a new way to sign in to their Google accounts, no password required,” a Google spokesperson confirmed, adding that the days of “password” and “123456” are numbered.

The system is pretty straightforward, according to a Reddit post from user rp1226 that appears to have first brought the test to light. “You authorize your phone to allow you to log in to your account. You go into a computer and type in your email. Then you get a message on your phone to allow the login. If you hit yes, the computer logs into your Google account without a password,” he wrote.

The test works for both Android and iOS devices, and users can still use their password to log in as normal if they don’t have their phone handy. If you lose your phone, the device’s lock screen should protect your accounts from falling into the wrong hands, and you can revoke access to the feature from a device at any time, according to a copy of documentation accompanying the test posted by the Reddit user.

But there are some pitfalls to the phone-only approach: If someone is able to access your phone while it’s unlocked, they could potentially log in to your account. (Although, presumably, if they have your unlocked phone they’ve already gotten to a treasure trove of your personal data that probably includes your inbox.)

Another booming password alternative is biometrics, which use physical characteristics like your fingerprints to prove who you are.

Fingerprint scanning is already happening with newer iPhones around the world and in some workplaces. The method can be appealing because unlike passwords, you aren’t really able to forget your fingerprints. But that’s also a potential problem: Your fingerprints are permanent, so they can’t be changed even if, say, they are among a massive trove of prints compromised by a hack at a major government agency.

And unlike passwords, they aren’t secrets: You leave them on a lot of things you touch, and some research has even suggested that fakes good enough to fool some systems can be made from high-resolution photos of your hands.

Companies are exploring these alternatives because of the obvious issues with passwords and concerns that consumers won’t want to go through the added steps involved in multi-factor verification methods.

But Bedoya says people and companies should think carefully before relying solely on any one type of authentication because they each come with their own risks.

“At the end of the day, the more factors you add – the more secure you are,” he said.